MDVSA-2008:045

Problem description

Heap-based buffer overflow in the rmff_dump_cont function in
input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote
attackers to execute arbitrary code via the SDP Abstract attribute,
related to the rmff_dump_header function and related to disregarding
the max field. Although originally a xine-lib issue, this also affects
MPlayer due to code similarity. (CVE-2008-0225)

Multiple heap-based buffer overflows in the rmff_dump_cont function
in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers
to execute arbitrary code via the SDP (1) Title, (2) Author, or
(3) Copyright attribute, related to the rmff_dump_header function,
different vectors than CVE-2008-0225. Although originally a xine-lib
issue, this also affects MPlayer due to code similarity. (CVE-2008-0238)
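
Both rmff_dump_cont entries above describe SDP-supplied strings
overflowing a heap buffer when a size limit (the max field) is
disregarded. The following is an added example, not xine-lib or MPlayer
code: a serializer in C that checks the remaining space before every
write. The struct, the function names and the simplified chunk layout
are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical container for the four SDP-derived strings. */
struct cont_fields {
    const char *title, *author, *copyright, *abstract;
};

/* Append a 16-bit big-endian length and the string bytes at *off.
 * Returns 0 on success, -1 if the field does not fit below max. */
static int put_field(uint8_t *buf, size_t *off, size_t max, const char *s)
{
    size_t len  = s ? strlen(s) : 0;
    size_t room = max - *off;              /* caller keeps *off <= max */

    if (len > UINT16_MAX || room < 2 || room - 2 < len)
        return -1;                         /* reject before any write */
    buf[*off]     = (uint8_t)(len >> 8);
    buf[*off + 1] = (uint8_t)(len & 0xff);
    if (len)
        memcpy(buf + *off + 2, s, len);
    *off += 2 + len;
    return 0;
}

/* Serialize a simplified content-description chunk into buf[0..max).
 * Returns the number of bytes written, or -1 if the strings do not fit.
 * No byte at or beyond buf[max] is ever written. */
long dump_cont_bounded(const struct cont_fields *c, uint8_t *buf, size_t max)
{
    size_t off = 4;

    if (max < off)
        return -1;
    memcpy(buf, "CONT", 4);
    if (put_field(buf, &off, max, c->title) ||
        put_field(buf, &off, max, c->author) ||
        put_field(buf, &off, max, c->copyright) ||
        put_field(buf, &off, max, c->abstract))
        return -1;
    return (long)off;
}
```

On failure the caller should discard the partially filled buffer rather
than send or parse it.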

Array index vulnerability in libmpdemux/demux_audio.c in MPlayer
1.0rc2 and SVN before r25917, and possibly earlier versions, as
used in xine-lib 1.1.10, might allow remote attackers to execute
arbitrary code via a crafted FLAC tag, which triggers a buffer
overflow. (CVE-2008-0486)

Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN
before r25824 allows remote user-assisted attackers to execute
arbitrary code via a CDDB database entry containing a long album
title. (CVE-2008-0629)

Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows
remote attackers to execute arbitrary code via a crafted URL that
prevents the IPv6 parsing code from setting a pointer to NULL, which
causes the buffer to be reused by the unescape code. (CVE-2008-0630)